pod2g has just published a blog regarding an SMS vulnerability he's found in iOS that could allow someone to abuse the protocol for SMS in order to spoof or send fake text messages. The exploit has been an issue since the incarnation of iOS and is still present in iOS 6 beta 4.
He's now urging Apple to fix it.
He goes on to explain a bit about the protocol that is used to send SMS messages, PDU (Protocol Description Unit), and how it works.
PDU is a protocol that is pretty dense, allowing different types of messages to be emitted. Some examples : SMS, Flash SMS, Voice mail alerts, EMS, ... The specification is large and pretty complex. As an example, just to code the data, there are multiple possible choices : 7bit, 8bit, UCS2 (16bit), compressed or not, ...
The problem is that if you own a smartphone or a modem you have the ability to send messages in this raw type of format. There's also an optional section, UDH (User Data Header), that not all smartphones are compatible with but that allows more advanced features to be sent in a message. Some of these "more advanced features" include changing the reply-to address or sending the message from a different number altogether. The iPhone does support these features and contains a vulnerability that makes it susceptible to attacks by hackers that may choose to abuse this system.
pod2g lays out a few ways in which hackers could take advantage of this exploit:
- pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
- one could send a spoofed message to your device and use it as a false evidence.
- anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.
There are tools already available that make it rather simple to manipulate this data on smartphones. He's also created a tool for the iPhone 4 that he also plans on releasing. He is currently urging Apple to fix the issue before the public release of iOS 6 and warns that you should never trust an SMS message containing sensitive data on your iPhone in the time being.
Do you think releasing the tool will get Apple's attention or just cause more issues in the mean time for end users?
Source: pod2g
Regulator: Apple's Dutch App Store payment climb down doesn't go far enough
Apple has been told that its plans to allow Dutch dating apps to use third-party payment systems don't go far enough and that it could be forced to hand over 50 million euros as a result.
How to get all Green Stars and Stamps in Super Mario 3D World
It can be tricky finding all 380 Green Stars in Super Mario 3D World + Bowser's Fury, but we're here to help. Don't forget to grab all 85 Stamps along the way as well.
Nintendo recap: Pokémon leaks, Kingdom Hearts coming to Switch, and more
Pokemon Legends: Arceus leaks online, Castlevania NFTs sell for a ton of money, and, oh yeah, Microsoft bought Activision Blizzard. There's even more to discuss on this week's Nintendo recap.
Show off your sophisticated side with these leather Apple Watch bands
You can get a stylish leather band for your Apple Watch no matter your price point. Here are some options.